Description of problem:
The cron-script of awstats (/etc/cron.hourly/awstats) executes awstats like this:

exec perl /usr/share/awstats/tools/awstats_updateall.pl

But this is a problem with SELinux because a type transition cannot occur. To solve this easily drop the "perl" command:

exec /usr/share/awstats/tools/awstats_updateall.pl

Now the cron-script runs under the type of the file "/usr/share/awstats/tools/awstats_updateall.pl".

Additionally the SELinux readme is out of date because a SELinux policy for awstats is already included (only for Fedora, RHEL will follow in the next releases).
Created attachment 296048
Patch to remove "perl" from the cron-script
I'm sure you're right, because my SELinux knowledge is limited. However, could you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats on a machine with SELinux enabled, it doesn't seem to cause any obvious problems - I don't see any SELinux errors and the stats update runs successfully.
(In reply to comment #2)
> I'm sure you're right, because my SELinux knowledge is limited. However, could
> you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats
> on a machine with SELinux enabled, it doesn't seem to cause any obvious problems
> - I don't see any SELinux errors and the stats update runs successfully.

I guess you are using SELinux targeted policy:

$ cat /etc/selinux/config | grep "^SELINUXTYPE"

The targeted policy is very relaxed and only secures several daemons like httpd, samba and so on. Scripts running locally and therefore from cron are not considered to be a security problem. This means they run under full access (type unconfined_t) and do not cause any error messages or something like this.

If you are using the SELinux strict policy then you will definitely run into some AVC errors. Simply install the strict policy by "yum install selinux-policy-strict". But I would suggest to use a test environment for this because it could break some daemons/apps or whatever.

The main problem with the cron script is that SELinux only does a type transition if you do it programmatically or via an execve() call. The latter isn't the case because you call "exec perl awstats.pl". This means that cron (running as system_crond_t for the scripts) executes perl (which results in an execve() call but /usr/bin/perl is labeled as bin_t) and in the end the awstats script runs under system_crond_t. If you simply left out the perl command then the cron daemon would call the awstats.pl file directly, resulting in an execve() call, and while the awstats.pl script is labeled as awstats_exec_t a domain transition would occur.

I hope I could make it a little bit more clear.
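A simplified model of the exec-time domain selection discussed in the comment above, added here as an illustration; it is not part of the bug report, the awstats package or the SELinux policy. The file labels and system_crond_t come from the thread; the target domain name awstats_t, the single transition rule, the /usr/bin lookup and all function names are assumptions of this sketch.

```python
import shlex

# File labels as stated in the thread.
FILE_TYPES = {
    "/usr/bin/perl": "bin_t",
    "/usr/share/awstats/tools/awstats_updateall.pl": "awstats_exec_t",
}
# (calling domain, type of executed file) -> new domain.
# Assumption: the target domain name awstats_t and this single rule.
TYPE_TRANSITIONS = {("system_crond_t", "awstats_exec_t"): "awstats_t"}


def resolve(cmd):
    """Constructed PATH lookup: bare command names live in /usr/bin."""
    return cmd if "/" in cmd else "/usr/bin/" + cmd


def domain_after_exec(domain, argv):
    """Pick the domain from the label of the executed file only.

    Paths passed as arguments (argv[1:]) are opened and read by the
    interpreter; they are not executed, so their labels are not consulted.
    Files without a known label are treated as bin_t (assumption).
    """
    file_type = FILE_TYPES.get(resolve(argv[0]), "bin_t")
    return TYPE_TRANSITIONS.get((domain, file_type), domain)


def audit_cron_line(line, domain="system_crond_t"):
    """Return (resulting domain, script arguments whose transition was skipped)."""
    argv = shlex.split(line)
    if argv and argv[0] == "exec":  # shell builtin, not the executed file
        argv = argv[1:]
    if not argv:
        return domain, []
    skipped = [a for a in argv[1:]
               if (domain, FILE_TYPES.get(a)) in TYPE_TRANSITIONS]
    return domain_after_exec(domain, argv), skipped


if __name__ == "__main__":
    for line in ("exec perl /usr/share/awstats/tools/awstats_updateall.pl",
                 "exec /usr/share/awstats/tools/awstats_updateall.pl"):
        print(line, "->", audit_cron_line(line))
```

A non-empty second element marks a cron line where a labeled entrypoint is handed to an interpreter as an argument, so the job stays in the caller's domain.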
awstats-6.7-3.fc8 has been submitted as an update for Fedora 8
Fix has been checked into CVS; new package will be built soon.
awstats-6.7-3.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update awstats'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2522
awstats-6.7-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Built in plague for EL-5 (job ID 38986)
The new version 6.7-2.el5 fixed the problem, therefore I closed the bug.